httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 45054] New: SSLVerifyClient optional_no_ca is broken
Date Wed, 21 May 2008 09:29:41 GMT

           Summary: SSLVerifyClient optional_no_ca is broken
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl

The documented behaviour for the option 'optional_no_ca' is that if the return
of SSL_Accept validates this predicate:
ssl_private.h:#define ssl_verify_error_is_optional(errnum) \
ssl_private.h-   ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
ssl_private.h-    || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
ssl_private.h-    || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
ssl_private.h-    || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
ssl_private.h-    || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
then the error code in SSL_VERIFY_CLIENT should be "FAILED:(an error message)"

This functionality is very useful for using a certificate as a user-centric
authentication token; why forbid it with this code from ssl_engine_io.c:
        if (ssl_verify_error_is_optional(verify_result) &&
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
        {
            /* leaving this log message as an error for the moment,
             * according to the mod_ssl docs:
             * "level optional_no_ca is actually against the idea
             *  of authentication (but can be used to establish
             * SSL test pages, etc.)"
             * optional_no_ca doesn't appear to work as advertised
             * in 1.x
             */
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed, "
                          "accepting certificate based on "
                          "\"SSLVerifyClient optional_no_ca\" "
                          "configuration");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
        }
Note that we don't reset the result to something good like X509_V_OK.

And this code that returns the value of SSL_VERIFY_CLIENT:
    if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs == NULL)
        /* no client verification done at all */
        result = "NONE";
    else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
        /* client verification done successful */
        result = "SUCCESS";
    else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))
        /* client verification done in generous way */
        result = "GENEROUS";
    else
        /* client verification failed */
        result = apr_psprintf(p, "FAILED:%s", verr);

    if (xs)

The third condition can never happen as vrc will be OK and vinfo == GENEROUS at
the same time.
Two approaches:
- reset the result code (we lose information), with a
  SSL_set_verify_result(ssl, X509_V_OK); inside the first extracted code.
- change third condition with this patch:
        -    else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo,
        +    else if (ssl_verify_error_is_optional(vrc) && vinfo != NULL &&
strEQ(vinfo, "GENEROUS"))
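
Review bot: The replacement condition on the + line tests only ssl_verify_error_is_optional(vrc), so the GENEROUS branch no longer matches when vrc == X509_V_OK. If the first approach listed above (SSL_set_verify_result(ssl, X509_V_OK)) were ever applied together with this change, a certificate accepted under optional_no_ca would fall through to the FAILED branch with a NULL verr. Consider accepting both cases, for example (vrc == X509_V_OK || ssl_verify_error_is_optional(vrc)), and stating in the mod_ssl documentation that GENEROUS means the chain was not validated against a trusted CA, so applications do not treat it like SUCCESS.
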
- bonus point would be to return the result code inside another variable and
  completely remove the optional_no_ca option; web apps could just use
  optional and choose actions as a function of SSL_VERIFY_CLIENT == FAILED and
  the error code.

What do you think?
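
The branch chain discussed in this report, as an added example that is not part of the original message or of mod_ssl: a small C model of how SSL_VERIFY_CLIENT is chosen, with the original third condition and the proposed one. The names client_verify, error_is_optional and patched are hypothetical, as is the assumption that vinfo is "GENEROUS" whenever optional_no_ca accepted the certificate; the X509_V_* numbers are OpenSSL's.

```c
#include <stdio.h>
#include <string.h>

/* Values from OpenSSL's x509_vfy.h, repeated so this builds without OpenSSL. */
enum {
    X509_V_OK = 0,
    X509_V_ERR_CERT_HAS_EXPIRED = 10,
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18,
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19,
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20,
    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21,
    X509_V_ERR_CERT_UNTRUSTED = 27
};

/* Same predicate as the ssl_private.h macro quoted in the report. */
static int error_is_optional(long e)
{
    return e == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
        || e == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
        || e == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        || e == X509_V_ERR_CERT_UNTRUSTED
        || e == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
}

/* Hypothetical model of the quoted branch chain. verr is the error text (NULL
 * if none), vinfo is "GENEROUS" or NULL (assumed set when optional_no_ca
 * accepted the certificate), has_cert stands for xs != NULL, and patched
 * selects the third condition proposed in the report. */
static const char *client_verify(long vrc, const char *verr, const char *vinfo,
                                 int has_cert, int patched)
{
    int generous = vinfo != NULL && strcmp(vinfo, "GENEROUS") == 0;
    int third = patched ? error_is_optional(vrc) : (vrc == X509_V_OK);
    if (vrc == X509_V_OK && verr == NULL && vinfo == NULL)
        return has_cert ? "SUCCESS" : "NONE";
    if (third && generous)
        return "GENEROUS";
    return "FAILED";   /* the real code appends ":" and verr */
}

int main(void)
{
    long ss = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;   /* constructed inputs */
    printf("self-signed, original: %s\n", client_verify(ss, "self signed", "GENEROUS", 1, 0));
    printf("self-signed, patched:  %s\n", client_verify(ss, "self signed", "GENEROUS", 1, 1));
    printf("expired, patched:      %s\n",
           client_verify(X509_V_ERR_CERT_HAS_EXPIRED, "expired", "GENEROUS", 1, 1));
    return 0;
}
```

In this model an error outside the optional set, such as an expired certificate, stays FAILED under the proposed condition even when vinfo is "GENEROUS".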
